I am developing two web applications where one is a server app and the other is a client app, both are using Spring Security. My use case is such that after a user logs into the server app, the user can then access the client app from links within the server app. Since the user should not have to log in again when they click on these links (part of my requirements), I decided to use a strategy similar to Single SignOn in order to forward their authentication information from the server app to the client app.

On the client app, I am using Spring Security's RequestHeaderAuthenticationFilter to look for a custom request header that is set by the server app.

If this custom header is found, do I have to do any further validation that this request is trustworthy? In Spring's Pre-Authentication doc, RequestHeaderAuthenticationFilter does not perform any authentication and will assume the request to be from the user specified in the SM_USER attribute. How do I ensure that the request is genuine?

How do I send the user from one app to another with a custom header in the http request? Redirecting the request does not work as the header information will be lost. Forwarding does not work as the forwarded request does not go through the configured Spring Security filters on the client app, thus the request is never "authenticated" and no session is created.

A little more info on #2. When the user clicks on the link in the server app, the request gets redirected to a Servlet (on the server app) that will look up the current user in Spring's SecurityContextHolder, add the username as a custom request header as well as the user's granted authorities into the request, and forwards it to the client app, using getServletContext().getContext("/client-app").getRequestDispatcher("/").forward‌​(...)
–
citressSep 7 '12 at 14:53

1 Answer
1

Since I didn't receive any responses, I changed my approach slightly in order to achieve the same SSO behavior. I am answering my own question here to close this issue.

Instead of using the RequestHeaderAuthenticationFilter, I subclassed Spring's AbstractPreAuthenticatedProcessingFilter which retrieves the Principal and Credentials from the HttpRequest. I then implemented a custom preAuthenticatedUserDetailsService that will validate the Credentials with the server app before loading the UserDetails.

As for #2, I am no longer using custom headers in the initial pre-authenticated login request. I am simply appending the principal (username) and credentials as url parameters to the initial pre-authenticated "login" request to the client app. Since the communicated between the two apps are secured via SSL, I figured that should be safe.

Even though you're using SSL, usernames and passwords will end up in your httpd logs. Something to watch out for.
–
sourcedelicaSep 13 '12 at 11:47

Thanks, you bring up a really good point. I'll change that to a forward, and do a redirect once I'm in the client app (which I intend to do anyway for a different purpose).
–
citressSep 13 '12 at 15:07